Abstract. We answer a question of Paterson, showing that all block systems
for the group generated by the round functions of a key-alternating block cipher 
are the translates of a linear subspace. Following up remarks of Paterson and 
Shamir, we exhibit a connection to truncated differential cryptanalysis. 

We also give a condition that guarantees that the group generated by the 
round functions of a key-alternating block cipher is primitive. This applies in 
particular to AES. 



1. Introduction 

Kenneth Paterson [12] has considered iterated block ciphers in which the group
generated by the one-round functions acts imprimitively on the message space, 
with the aim of exploring the possibility that this might lead to the design of 
trapdoors. The blocks of imprimitivity he uses are the translates (cosets) of a 
linear subspace. He asked whether it is possible to construct other, non-linear 
blocks of imprimitivity. 

In the first part of this paper we answer this question in the negative for key- 
alternating block ciphers, and exhibit a connection to truncated differential crypt- 
analysis, following up remarks of Paterson and Shamir. 

We then develop a conceptual recipe to guarantee that the group generated by 
the one-round functions of a key-alternating block cipher acts primitively on the 
message space. We show that the conditions we require are satisfied in a natural 
way by AES. 
2. Preliminaries

Let $G$ be a finite group, acting transitively on a set $V$. We write the action
of an element $g \in G$ on an element $a \in V$ on the right, that is, as $ag$. Also,
$aG = \{ ag : g \in G \}$ is the orbit of $a$ under $G$, and $G_a = \{ g \in G : ag = a \}$ is the
stabilizer of $a$ in $G$.

A partition of $V$ is a family $\mathcal{B}$ of nonempty subsets of $V$ such that any element
of $V$ lies in precisely one element of $\mathcal{B}$. A partition $\mathcal{B}$ is said to be $G$-invariant if
for any $B \in \mathcal{B}$ and $g \in G$, one has $Bg \in \mathcal{B}$. A $G$-invariant partition $\mathcal{B}$ is said to
be trivial if $\mathcal{B} = \{ V \}$, or $\mathcal{B} = \{ \{ a \} : a \in V \}$.

A non-trivial, $G$-invariant partition of $V$ is said to be a block system for the
action of $G$ on $V$. If such a block system exists, then we say that $G$ is imprimitive
in its action on $V$ (equivalently, $G$ acts imprimitively on $V$), primitive otherwise.
An element $B$ of some block system $\mathcal{B}$ is called a block; since $G$ acts transitively
on $V$, we have then $\mathcal{B} = \{ Bg : g \in G \}$.

We note the following elementary 

Lemma 2.1 ([?], Theorem 1.7). Let $G$ be a finite group, acting transitively on a
set $V$. Let $a \in V$.

Then the blocks $B$ containing $a$ are in one-to-one correspondence with the
subgroups $H$, with $G_a \le H \le G$. The correspondence is given by $B = aH$.
In particular, $G$ is primitive if and only if $G_a$ is a maximal subgroup of $G$.

We will need a fact from the basic theory of finite fields. (See for instance [?] or
[?].) Write $\mathrm{GF}(p^n)$ for the finite field with $p^n$ elements, $p$ a prime.

Lemma 2.2. $\mathrm{GF}(p^n) \subseteq \mathrm{GF}(p^m)$ if and only if $n$ divides $m$.

In the rest of the paper, we tend to adopt the notation of [2].
Let $V = V(n_b, 2)$, the vector space of dimension $n_b$ over the field $\mathrm{GF}(2)$ with
two elements, be the state space. $V$ has $2^{n_b}$ elements.

For any $v \in V$, consider the translation by $v$, that is the map

$\sigma_v : V \to V$, $w \mapsto w + v$.

In particular, $\sigma_0$ is the identity map on $V$. The set

$T = \{ \sigma_v : v \in V \}$

is an elementary abelian, regular subgroup of $\mathrm{Sym}(V)$. In fact, the map

(2.1) $V \to T$, $v \mapsto \sigma_v$

is an isomorphism of the additive group $V$ onto the multiplicative group $T$.

We consider a key-alternating block cipher (see Section 2.4.2 of [2]) which
consists of a number of iterations of a round function of the form $\rho\sigma_k$. (Recall that
we write maps left-to-right, so $\rho$ operates first.) Here $\rho$ is a fixed permutation
operating on the vector space $V = V(n_b, 2)$, and $k \in V$ is a round key. (According
to the more general definition of [2], $\rho$ might depend on the round.) Therefore
each round consists of an application of $\rho$, followed by a key addition. This covers
for instance AES with independent subkeys. Let $G = \langle \rho\sigma_k : k \in V \rangle$ be the group of
permutations of $V$ generated by the round functions. Choosing $k = 0$ we see that
$\rho \in G$, and thus $\sigma_k = \rho^{-1}(\rho\sigma_k) \in G$ for every $k \in V$, that is, $T \le G$. It follows that $G = \langle T, \rho \rangle$.

3. IMPRIMITIVITY 

Kenneth Paterson [12] has considered iterated block ciphers in which the group
generated by the one-round functions acts imprimitively on the message space, 
with the aim of exploring the possibility that this might lead to the design of 
trapdoors. The blocks of imprimitivity he uses are the translates (cosets) of a 
linear subspace. He asked whether it is possible to construct other, non-linear 
blocks of imprimitivity: 

Can "undetectable" trapdoors based on more complex systems of 
imprimitivity be inserted in otherwise conventional ciphers? It is 
easily shown that, in a DES-like cipher, any [block] system based 
on a linear sub-space and its cosets leads to a noticeable regularity 
in the XOR tables of small S-boxes. It seems that we must look be- 
yond the "linear" systems considered here, or consider other types 
of round function. 

In a personal communication [13], Paterson remarks further

At the FSE conference where it was presented, Adi Shamir told 
me that he could break the scheme using a truncated differential 
attack [...]

Truncated differential cryptanalysis has been introduced in [?] by L. R. Knudsen;
see also the approach in [?].

In this section we answer Paterson's question for the key-alternating block ci- 
phers described above, by showing 

Theorem 3.1. Let G be the group generated by the round functions of a key- 
alternating block cipher. Suppose G acts imprimitively on the message space. Then 
the blocks of imprimitivity are the translates of a linear subspace. 

Proof. In the notation above, suppose $G$ acts imprimitively on $V$.

If $G$ has a nontrivial block system, this is also a block system for $T$, since $T \le G$. So if $\mathcal{B}$ is
a block system for $G$, and $B \in \mathcal{B}$ is the block containing $0$, because of Lemma 2.1
(applied to $T$, whose stabilizer of $0$ is trivial) we have $B = 0H$, for some $1 < H < T$. Because of the isomorphism (2.1), we
have

$H = \{ \sigma_u : u \in U \}$,

for a suitable subspace $U$ of $V$, with $U \ne \{ 0 \}, V$. Since $T = \{ \sigma_v : v \in V \}$ is
abelian, we have

$\mathcal{B} = \{ B\sigma_v : v \in V \} = \{ 0H\sigma_v : v \in V \} = \{ 0\sigma_v H : v \in V \} = \{ vH : v \in V \} = \{ v + U : v \in V \}$.

This completes the proof of the first implication. The converse is immediate. □
4. Truncated differential cryptanalysis

We now develop a relation to truncated differential cryptanalysis, elaborating 
on Shamir's comment. 

Suppose $G$ acts imprimitively on the message space $V$, and use the notation of
the proof of Theorem 3.1. Let $v \in V$. Since $\rho \in G$ maps blocks to blocks, $vH\rho = (v + U)\rho$ is the block containing $v \cdot 1 \cdot \rho = v\rho$,
so that

$vH\rho = v\rho H$,

for all $v$. This means that for all $v \in V$ and $u \in U$ there is $u' \in U$ such that

$v\sigma_u\rho = (v + u)\rho = v\rho + u' = v\rho\sigma_{u'}$.

In other words we have the following connection to truncated differential crypt- 
analysis. 

Corollary 4.1. Suppose $G$ acts imprimitively on the message space $V$.

Then there is a subspace $U \ne \{ 0 \}, V$ such that if $v, v + u \in V$ are two messages
whose difference $u$ lies in the subspace $U$, then the output difference also lies in $U$.

In other words, if $v \in V$ and $u \in U$, then

(4.1) $(v + u)\rho + v\rho \in U$.

Conversely, if the last condition holds, then $G$ acts imprimitively on $V$: the cosets of $U$ are permuted by $\rho$ and by every translation, hence by all of $G = \langle T, \rho \rangle$.

To our understanding, a subspace $U$ as in Corollary 4.1 could indeed be used as
a trapdoor as in Paterson's scheme, and still be difficult to detect. This is most
clear when $U$ is chosen to have dimension half of that of $V$. To a cryptanalyst who
knows $U$, the complexity of a brute force search is reduced from $|V|$ to $2\sqrt{|V|}$.
However, the number of subspaces of a given dimension $m$ of a finite vector space
of (even) dimension $n$ over $\mathrm{GF}(2)$ is largest for $m = n/2$, and is then of order $2^{m^2}$. If $U$ is
not just given by the vanishing of some of the defining bits, it appears to us that
it might be hard to find. Because of this, in the next section we approach the
problem of proving in a conceptual way that such a $U$ does not exist for a given
key-alternating block cipher.
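The following Python script is an added example, not part of the paper, that makes Theorem 3.1 and Corollary 4.1 concrete on a constructed toy key-alternating cipher: $V = \mathrm{GF}(2)^6$ with two 3-bit S-boxes (inversion in $\mathrm{GF}(2^3)$ with $0 \mapsto 0$) and two alternative linear layers. With a block-diagonal $\lambda$ the words $V_1$ and $V_2$ are subspaces $U$ satisfying (4.1), and the script also confirms directly that every round function $\rho\sigma_k$ permutes the cosets of $U$, as Theorem 3.1 says; with a layer that mixes the two words, $V_1$ is no longer preserved. The exhaustive search over all 2823 proper nonzero subspaces of $V$ is feasible only because $n_b = 6$. The S-box, the two mixing layers and all names below are assumptions of this example, not constructions from the paper.

```python
"""Added example (not from the paper): Corollary 4.1 on a constructed toy
key-alternating cipher with V = GF(2)^6, two 3-bit S-boxes and two linear layers."""
from itertools import combinations, product

N, M = 6, 3                  # n_b = 6 bits, n_t = 2 words of m = 3 bits each
MASK = (1 << M) - 1

def gf8_mul(a, b):
    """Multiplication in GF(2^3) modulo x^3 + x + 1 (toy field of this example)."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= 0b1011
    return r

# gamma_i: inversion in GF(2^3) with 0 -> 0, mirroring the AES convention of Section 5
SBOX = [0] + [next(y for y in range(1, 8) if gf8_mul(x, y) == 1) for x in range(1, 8)]

def gamma(v):
    """Bricklayer layer: the S-box applied to each 3-bit word."""
    return SBOX[v & MASK] | (SBOX[v >> M] << M)

def lam_trapdoor(v):
    """Block-diagonal linear layer: each word is mixed only with itself, so V_1 and
    V_2 are lambda-invariant (this violates Condition (3) of Theorem 5.1)."""
    L = lambda a: a ^ ((a << 1) & MASK)      # unipotent, hence invertible, 3x3 map
    return L(v & MASK) | (L(v >> M) << M)

def lam_mixing(v):
    """Linear layer (a, b) -> (a + b, a): neither V_1 nor V_2 is invariant."""
    a, b = v & MASK, v >> M
    return (a ^ b) | (a << M)

def round_table(lam):
    """rho = gamma followed by lambda, tabulated on all 2^N states."""
    return [lam(gamma(v)) for v in range(1 << N)]

def span(basis):
    s = {0}
    for b in basis:
        s |= {x ^ b for x in s}
    return frozenset(s)

def proper_subspaces(n):
    """Every subspace U with {0} != U != V, generated once from its unique
    reduced-row-echelon basis (bit i of a vector is coordinate i)."""
    for k in range(1, n):
        for pivots in combinations(range(n), k):
            free = [[c for c in range(p + 1, n) if c not in pivots] for p in pivots]
            for bits in product(*[range(1 << len(f)) for f in free]):
                basis = []
                for p, f, b in zip(pivots, free, bits):
                    row = 1 << p
                    for j, c in enumerate(f):
                        if (b >> j) & 1:
                            row |= 1 << c
                    basis.append(row)
                yield span(basis)

def preserves_differences(rho, U):
    """Condition (4.1): (v + u)rho + v rho lies in U for all v in V and u in U."""
    return all(rho[v ^ u] ^ rho[v] in U for u in U for v in range(len(rho)))

def round_images_are_cosets(rho, U):
    """Theorem 3.1 read directly: every round function rho*sigma_k maps each coset
    v + U onto a coset of U, i.e. the cosets of U form a block system for G."""
    n = len(rho)
    cosets = {frozenset(v ^ u for u in U) for v in range(n)}
    return all(frozenset(rho[c] ^ k for c in C) in cosets for C in cosets for k in range(n))

def invariant_subspaces(rho):
    """Exhaustive search for the subspaces U of Corollary 4.1 (2823 candidates)."""
    return [U for U in proper_subspaces(N) if preserves_differences(rho, U)]

V1 = span([1, 2, 4])          # first S-box word
V2 = span([8, 16, 32])        # second S-box word

if __name__ == "__main__":
    for name, lam in (("trapdoor", lam_trapdoor), ("mixing", lam_mixing)):
        found = invariant_subspaces(round_table(lam))
        print(name, "subspaces satisfying (4.1):", len(found), "V1 among them:", V1 in found)
```

Running the file prints, for each layer, how many subspaces satisfy (4.1). Note that for $m = 3$ the second part of Condition (2) of Theorem 5.1 fails ($\mathrm{GF}(2)$ is an inversion-invariant subspace of $\mathrm{GF}(2^3)$ of codimension $2 = 2r$), so the theorem makes no prediction for the mixing layer; the exhaustive search simply reports whatever is true for this toy.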

5. Ensuring primitivity 

Ralph Wernsdorf has proved in [?] that the group $G$ generated by the round
functions of AES with independent subkeys is the alternating group $\mathrm{Alt}(V)$. Thus
$G$ is definitely primitive on $V$.

In the following we review this consequence of Wernsdorf 's result from a con- 
ceptual point of view. This comes in the form of a recipe for the group generated 
by the round functions of a key-alternating block cipher to be primitive. We will 
show that this recipe is satisfied by AES in a rather natural way. 

We begin with making the description of a key-alternating block cipher we gave
in Section 2 more precise. (Again, we are staying close to the notation of [2].)
We assume $\rho = \gamma\lambda$, where $\gamma$ and $\lambda$ are permutations. Here $\gamma$ is a bricklayer
transformation, consisting of a number of S-boxes. The message space $V$ is written
as a direct sum

$V = V_1 \oplus \dots \oplus V_{n_t}$,

where each $V_i$ has the same dimension $m$ over $\mathrm{GF}(2)$. For $v \in V$, we will write
$v = v_1 + \dots + v_{n_t}$, where $v_i \in V_i$. Also, we consider the projections $\pi_i : V \to V_i$,
which map $v \mapsto v_i$. We have

$v\gamma = v_1\gamma_1 \oplus \dots \oplus v_{n_t}\gamma_{n_t}$,

where the $\gamma_i$ are S-boxes, which we allow to be different for each $V_i$.
$\lambda$ is a linear mixing layer.

In AES the S-boxes are all equal, and consist of inversion in the field $\mathrm{GF}(2^8)$
with $2^8$ elements (see later in this paragraph), followed by an affine transformation.
The latter map thus consists of a linear transformation, followed by a translation.
When interpreting AES in our scheme, we take advantage of the well-known possibility
of moving the linear part of the affine transformation to the linear mixing
layer, and incorporating the translation in the key addition (see for instance [?]).
Thus in our scheme for AES we have $m = 8$, we identify each $V_i$ with $\mathrm{GF}(2^8)$,
and we take $x\gamma_i = x^{2^8 - 2}$, so that $\gamma_i$ maps nonzero elements to their inverses, and
zero to zero. As usual, we abuse notation and write $x\gamma_i = x^{-1}$. Note, however,
that with this convention $xx^{-1} = 1$ only for $x \ne 0$.

Our result, for a key-alternating block cipher as described earlier in this section, 
is the following. 

Theorem 5.1. Suppose the following hold:

(1) $0\gamma = 0$ and $\gamma^2 = 1$, the identity transformation.

(2) There is $1 \le r < m/2$ such that for all $i$

• for all $0 \ne v \in V_i$, the image of the map $V_i \to V_i$, which maps $x \mapsto (x + v)\gamma_i + x\gamma_i$, has size greater than $2^{m - r - 1}$, and

• there is no proper subspace of $V_i$, invariant under $\gamma_i$, of codimension less than or equal to $2r$.

(3) No sum of some of the $V_i$ (except $\{ 0 \}$ and $V$) is invariant under $\lambda$.

Then $G$ is primitive.

We note immediately 

Lemma 5.2. AES satisfies the hypotheses of Theorem 5.1.

Corollary 5.3. The group generated by the round functions of AES with
independent subkeys is primitive.

Proof of Lemma 5.2. Condition (1) is clearly satisfied, since inversion with $0 \mapsto 0$ is an involution fixing $0$.

So is (3), by the construction of the mixing layer. In fact, suppose $U \ne \{ 0 \}$ is
a sum of some of the $V_i$ which is invariant under $\lambda$. Suppose, without loss of generality,
that $U \supseteq V_1$. Because of MixColumns [2, 3.4.3], $U$ contains the whole first column
of the state. Now the action of ShiftRows [2, 3.4.2] and MixColumns on the first
column shows that $U$ contains four whole columns, and considering (if the state
has more than four columns) once more the action of ShiftRows and MixColumns
one sees that $U = V$.

The first part of Condition (2) is also well-known to be satisfied, with $r = 1$
(see [?] but also [?]). We recall the short proof for convenience. For $a \ne 0$, the
map $\mathrm{GF}(2^8) \to \mathrm{GF}(2^8)$, which maps $x \mapsto (x + a)^{-1} + x^{-1}$, has image of size $2^7 - 1$.
In fact, if $b \ne a^{-1}$, the equation

(5.1) $(x + a)^{-1} + x^{-1} = b$

has at most two solutions. Clearly $x = 0, a$ are not solutions, so we can multiply
by $x(x + a)$ obtaining the equation

(5.2) $x^2 + ax + ab^{-1} = 0$,

which has at most two solutions. If $b = a^{-1}$, equation (5.1) has four solutions.
Two of them are $x = 0, a$. Two more come from (5.2), which becomes

$x^2 + ax + a^2 = a^2 \cdot ((x/a)^2 + x/a + 1) = 0$.

By Lemma 2.2, $\mathrm{GF}(2^8)$ contains $\mathrm{GF}(4) = \{ 0, 1, c, c^2 \}$, where $c, c^2$ are the roots of
$y^2 + y + 1 = 0$. Thus when $b = a^{-1}$ equation (5.1) has the four solutions $0, a, ac, ac^2$.
Since $x$ and $x + a$ always have the same image, every other nonempty fibre of the map has exactly two elements.
It follows that the image of the map $x \mapsto (x + a)^{-1} + x^{-1}$ has size

$(2^8 - 4)/2 + 1 = 2^7 - 1$,

as claimed.

As to the second part of Condition (2), one could just use GAP [?] to verify that
the only nonzero subspaces of $\mathrm{GF}(2^8)$ which are invariant under inversion are
the subfields. According to Lemma 2.2 the largest proper one is thus $\mathrm{GF}(2^4)$, of
codimension $4 > 2 = 2r$. However, this follows from the more general Theorem 6.1
which we give in the Appendix. □
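An added example (Python, not from the paper) of the Condition (3) check in the proof of Lemma 5.2: for the AES linear layer $\lambda$ = ShiftRows followed by MixColumns, it tests all $2^{16} - 2$ nonempty proper sets $S$ of byte positions and finds none for which $\bigoplus_{i \in S} V_i$ is $\lambda$-invariant, whereas MixColumns alone leaves every union of columns invariant and ShiftRows alone every union of its cycles. Because $\lambda$ is linear, $\bigoplus_{i \in S} V_i$ is $\lambda$-invariant exactly when every byte position reachable from some $V_i$, $i \in S$, lies in $S$, which is what the support computation below checks. The state layout (byte index $4 \cdot \mathrm{col} + \mathrm{row}$) follows the AES specification; the linear part of the S-box affine map is omitted since it acts inside each byte and cannot change which positions a byte influences. Function names are choices of this example.

```python
"""Added example (not from the paper): Condition (3) of Theorem 5.1 for the AES
linear layer lambda = ShiftRows followed by MixColumns, state indexed by
4 * column + row as in the AES specification."""

def xtime(b):
    """Multiplication by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def shift_rows(state):
    """Row r of the state is rotated left by r positions."""
    out = [0] * 16
    for col in range(4):
        for row in range(4):
            out[4 * col + row] = state[4 * ((col + row) % 4) + row]
    return out

def mix_columns(state):
    """Each column is multiplied by the circulant matrix with first row 2 3 1 1."""
    out = [0] * 16
    for col in range(4):
        a = state[4 * col:4 * col + 4]
        for row in range(4):
            b0, b1, b2, b3 = (a[(row + j) % 4] for j in range(4))
            out[4 * col + row] = xtime(b0) ^ xtime(b1) ^ b1 ^ b2 ^ b3
    return out

def lam_aes(state):
    return mix_columns(shift_rows(state))

def support(lam, i):
    """Byte positions that some element of V_i can reach under the linear map lam
    (the union, over the 8 unit vectors of V_i, of the positions they land on)."""
    supp = set()
    for bit in range(8):
        unit = [0] * 16
        unit[i] = 1 << bit
        supp |= {j for j, byte in enumerate(lam(unit)) if byte}
    return frozenset(supp)

def invariant_position_sets(lam):
    """All nonempty proper sets S of byte positions (as 16-bit masks) such that
    the sum of the V_i with i in S is mapped into itself by lam. By linearity this
    holds exactly when support(lam, i) is contained in S for every i in S."""
    supp = [sum(1 << j for j in support(lam, i)) for i in range(16)]
    found = []
    for mask in range(1, (1 << 16) - 1):
        reach = 0
        for i in range(16):
            if (mask >> i) & 1:
                reach |= supp[i]
        if (reach & ~mask) == 0:
            found.append(mask)
    return found

if __name__ == "__main__":
    for name, lam in (("ShiftRows then MixColumns", lam_aes),
                      ("MixColumns only", mix_columns),
                      ("ShiftRows only", shift_rows)):
        print(name, "invariant proper sums of V_i:", len(invariant_position_sets(lam)))
```

The support of a byte at column $c$ and row $r$ under $\lambda$ is the whole column $(c - r) \bmod 4$; the four bytes of that column in turn reach all four columns, which is the argument of the proof above made mechanical. With MixColumns alone the $14$ proper unions of columns survive, and with ShiftRows alone $2^8 - 2 = 254$ unions of its cycles do, so both layers are needed for Condition (3).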

Proof of Theorem 5.1. Suppose, by way of contradiction, that $G$ is imprimitive.
According to Corollary 4.1 there is a subspace $U \ne \{ 0 \}, V$ of $V$ such that if
$v, v + u \in V$ are two messages whose difference $u$ lies in the subspace $U$, then the
output difference also lies in $U$, that is

$(v + u)\rho + v\rho \in U$.

Since $\lambda$ is linear, we have

Fact 1. For all $u \in U$ and $v \in V$ we have

(5.3) $(v + u)\gamma + v\gamma \in U\lambda^{-1} = W$,

where $W$ is also a linear subspace of $V$, with $\dim(W) = \dim(U)$.

Setting $v = 0$ in (5.3), and because of Condition (1), we obtain

Fact 2. $U\gamma = W$ and $W\gamma = U$.

Now if $U \ne \{ 0 \}$, we will have $U\pi_i \ne \{ 0 \}$ for some $i$. We prove some increasingly
stronger facts under this hypothesis.

Fact 3. Suppose $U\pi_i \ne \{ 0 \}$ for some $i$. Then $W \cap V_i \ne \{ 0 \}$.

Let $u \in U$, with $u_i \ne 0$. Take any $0 \ne v_i \in V_i$. Then $(u + v_i)\gamma + v_i\gamma \in W$, and
also $u\gamma \in W$, by Fact 2. It follows that $u\gamma + (u + v_i)\gamma + v_i\gamma \in W$. The latter vector
has all zero components but for the one in $V_i$ (for $j \ne i$ the $V_j$-component is $u_j\gamma_j + u_j\gamma_j + 0\gamma_j = 0$), and the one in $V_i$ is $u_i\gamma_i + (u_i + v_i)\gamma_i + v_i\gamma_i \in W \cap V_i$. If the latter vector is zero for all $v_i \in V_i$, then the image of the map $V_i \to V_i$,
which maps $v_i \mapsto (v_i + u_i)\gamma_i + v_i\gamma_i$, is $\{ u_i\gamma_i \}$, of size 1. This contradicts the first
part of Condition (2).

Clearly $(W \cap V_i)\gamma = U \cap V_i$. It follows

Fact 4. Suppose $U\pi_i \ne \{ 0 \}$ for some $i$. Then $U \cap V_i \ne \{ 0 \}$.

Finally we obtain

Fact 5. Suppose $U\pi_i \ne \{ 0 \}$ for some $i$. Then $U \supseteq V_i$.

According to Fact 4, there is $0 \ne u_i \in U \cap V_i$. By the first part of Condition (2)
the map $V_i \to V_i$, which maps $x \mapsto (x + u_i)\gamma_i + x\gamma_i$, has image of size $> 2^{m - r - 1}$.
Since this image is contained in the linear subspace $W \cap V_i$, it follows that the
latter has size at least $2^{m - r}$, that is, codimension at most $r$ in $V_i$. The same holds
for $U \cap V_i = (W \cap V_i)\gamma$. Thus the linear subspace $U \cap W \cap V_i$ has codimension at
most $2r$ in $V_i$. In particular, it is different from $\{ 0 \}$, as $m > 2r$. From Fact 2 it
follows that $U \cap W \cap V_i$ is invariant under $\gamma$. By the second part of Condition (2)
we have $U \cap W \cap V_i = V_i$, so that $U \supseteq V_i$ as claimed.

From Fact 5 we obtain immediately

Fact 6. $U$ is a direct sum of some of the $V_i$, and $W = U$.

The second part follows from the fact that $W = U\gamma$, and $V_i\gamma = V_i$ for all $i$.
Since $U = W\lambda$ by (5.3), we obtain $U = U\lambda$, with $U \ne \{ 0 \}, V$. This contradicts
Condition (3), and completes the proof. □

The proof of Theorem 5.1 can be adapted to prove a slightly more general
statement, in which Conditions (1) and (2) are replaced with

(1') $0\gamma = 0$ and $\gamma^s = 1$, for some $s > 1$.

(2') There is $1 \le r < m/s$ such that for all $i$

• for all $0 \ne v \in V_i$, the image of the map $V_i \to V_i$, which maps $x \mapsto (x + v)\gamma_i + x\gamma_i$, has size greater than $2^{m - r - 1}$, and

• there is no proper subspace of $V_i$, invariant under $\gamma_i$, of codimension less than or equal to $sr$.

6. Appendix 

We are grateful to Sandro Mattarei (see [?], and also [3], for more general results)
for the following

Theorem 6.1. Let $F$ be a field of characteristic two. Suppose $U \ne \{ 0 \}$ is a finite additive
subgroup of $F$ which contains the inverses of each of its nonzero elements. Then
$U$ is a subfield of $F$.

Proof. Hua's identity, valid in any associative (but not necessarily commutative)
ring $A$, shows

(6.1) $a + ((a - b^{-1})^{-1} - a^{-1})^{-1} = aba$

for $a, b \in A$, with $a, b, ab - 1$ invertible.

First of all, $1 \in U$. This is because $U$ has even order, and each element different
from $0, 1$ is distinct from its inverse, so $U \setminus \{ 0, 1 \}$ has even size and $1$ must lie in $U$.

Now (6.1) for $b = 1$, and $a \in U \setminus \{ 0, 1 \}$ shows that for $a \in U$, also $a^2 \in U$. (This
is clearly valid also for $a = 0, 1$.) Since squaring is injective in characteristic two and $U$ is finite, it follows that any $c \in U$ can be represented in
the form $c = a^2$ for some $a \in U$. Now (6.1) shows that $U$ is closed under products (as $F$ is commutative, $aba = a^2 b$, and the case $ab = 1$ is trivial),
so that $U$ is a subring, and thus a subfield, of $F$. □
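The following Python script is an added example, not from the paper, that checks numerically in the AES field $\mathrm{GF}(2^8)$ the two computations behind the proof of Lemma 5.2 (first part of Condition (2)) and the conclusion of Theorem 6.1: that $x \mapsto (x + a)^{-1} + x^{-1}$ has image of size $2^7 - 1$ with fibre $\{ 0, a, ac, ac^2 \}$ over $b = a^{-1}$, that the inverse-closure of any nonzero element is a subfield and therefore coincides with the subfield generated by that element, and that Hua's identity (6.1) holds for every admissible pair. The function names and the table-based inversion are choices of this example; the modulus is the AES polynomial $x^8 + x^4 + x^3 + x + 1$, and $0^{-1} = 0$ as in Section 5.

```python
"""Added example (not from the paper): numerical checks in the AES field GF(2^8)
of the facts used in the proof of Lemma 5.2 and in Theorem 6.1."""

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES modulus

def mul(a, b):
    """Multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r

# Inversion table with the paper's convention 0^{-1} = 0 (this is gamma_i for AES).
INV = [0] + [next(y for y in range(1, 256) if mul(x, y) == 1) for x in range(1, 256)]

def derivative_image(a):
    """Image of x -> (x + a)^{-1} + x^{-1}; Lemma 5.2 says it has 2^7 - 1 elements."""
    return {INV[x ^ a] ^ INV[x] for x in range(256)}

def solutions(a, b):
    """Fibre of that map over b: all x with (x + a)^{-1} + x^{-1} = b, equation (5.1)."""
    return {x for x in range(256) if INV[x ^ a] ^ INV[x] == b}

def gf4_root():
    """A root c of y^2 + y + 1 in GF(2^8); {0, 1, c, c^2} is GF(4) (Lemma 2.2)."""
    return next(c for c in range(2, 256) if mul(c, c) ^ c ^ 1 == 0)

def inverse_closure(x):
    """Smallest additive subgroup containing x that also contains the inverses of
    all its nonzero elements, i.e. the smallest U of Theorem 6.1 containing x."""
    U = {0, x}
    while True:
        missing = {INV[u] for u in U} - U
        if not missing:
            return frozenset(U)
        for e in missing:
            U |= {u ^ e for u in U}

def is_subfield(U):
    return 1 in U and all(mul(a, b) in U for a in U for b in U)

def frobenius_fixed(k):
    """GF(2^k) inside GF(2^8): the fixed points of x -> x^(2^k) (requires k | 8)."""
    def frob(x):
        for _ in range(k):
            x = mul(x, x)
        return x
    return frozenset(x for x in range(256) if frob(x) == x)

SUBFIELDS = {k: frobenius_fixed(k) for k in (1, 2, 4, 8)}

def subfield_generated(x):
    """The smallest subfield GF(2^k) of GF(2^8) containing x."""
    return next(SUBFIELDS[k] for k in (1, 2, 4, 8) if x in SUBFIELDS[k])

def hua(a, b):
    """Left-hand side of Hua's identity (6.1), a + ((a - b^{-1})^{-1} - a^{-1})^{-1};
    in characteristic two every minus is a plus, i.e. an XOR."""
    return a ^ INV[INV[a ^ INV[b]] ^ INV[a]]

if __name__ == "__main__":
    c = gf4_root()
    print("image sizes:", {len(derivative_image(a)) for a in range(1, 256)})
    print("fibre over a^-1 for a = 1:", sorted(solutions(1, INV[1])), "c =", c)
    print("inverse-closure sizes:", sorted({len(inverse_closure(x)) for x in range(1, 256)}))
```

The closure loop is exactly the hypothesis of Theorem 6.1 applied repeatedly: add the missing inverses, take the additive span, and stop when nothing new appears. By the theorem the result is a subfield, so it equals $\mathrm{GF}(2^k)$ for the least $k \mid 8$ with $x \in \mathrm{GF}(2^k)$; the subfield sizes $2$, $4$, $16$, $256$ are the only ones that occur, matching the codimension-4 bound used for AES.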